Organization Preparation FAILED The ErrorRecord: Microsoft.Exchange.Data.Directory.ADObjectAlreadyExistsException: Active Directory operation failed

Hi people,

I'm having a problem with the following error message when running the Exchange Server 2010 SP3 installation on my Schema Master domain controller under my admin account:

    Organization Preparation FAILED The following error was generated when "$error.Clear();
        initialize-ExchangeUniversalGroups -DomainController $RoleDomainController -ActiveDirectorySplitPermissions $RoleActiveDirectorySplitPermissions" was run: "Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists.".

I'm trying to delete "Microsoft Exchange Security Groups" in the AD Users & Computers console with the advanced view enabled, but somehow the search returns no results?

Any help and suggestions would be much appreciated.

Thanks.
Asked by: Senior IT System Engineer (IT Professional)

Gareth Gudger commented:
Hey ITSystemEngineer,

This is what you should normally see.

[Attachment: ExchangeGroups.jpg]

Senior IT System Engineer (Author) commented:
And this is the relevant part of ExchangeSetup.log for more details:

[12/22/2014 18:01:09.0096] [1] Executing:
      initialize-ExchangeUniversalGroups -DomainController $RoleDomainController -ActiveDirectorySplitPermissions $RoleActiveDirectorySplitPermissions
[12/22/2014 18:01:09.0299] [2] Active Directory session settings for 'initialize-ExchangeUniversalGroups' are: View Entire Forest: 'True', Configuration Domain Controller: 'PRODDC01.MyDomain.com', Preferred Global Catalog: 'PRODDC01.MyDomain.com', Preferred Domain Controllers: '{ PRODDC01.MyDomain.com }'
[12/22/2014 18:01:09.0299] [2] Beginning processing initialize-ExchangeUniversalGroups -DomainController:'PRODDC01.MyDomain.com' -ActiveDirectorySplitPermissions:$null
[12/22/2014 18:01:09.0315] [2] Used domain controller PRODDC01.MyDomain.com to read object DC=MyDomain,DC=com.
[12/22/2014 18:01:09.0315] [2] Used domain controller PRODDC01.MyDomain.com to read object CN=Configuration,DC=MyDomain,DC=com.
[12/22/2014 18:01:09.0315] [2] Used domain controller PRODDC01.MyDomain.com to read object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=MyDomain,DC=com.
[12/22/2014 18:01:10.0940] [2] Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists.
[12/22/2014 18:01:10.0940] [2] The object exists.
[12/22/2014 18:01:11.0143] [2] Ending processing initialize-ExchangeUniversalGroups
[12/22/2014 18:01:11.0143] [1] The following 1 error(s) occurred during task execution:
[12/22/2014 18:01:11.0143] [1] 0.  ErrorRecord: Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists.
[12/22/2014 18:01:11.0143] [1] 0.  ErrorRecord: Microsoft.Exchange.Data.Directory.ADObjectAlreadyExistsException: Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists. ---> System.DirectoryServices.Protocols.DirectoryOperationException: The object exists.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   at Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)
   at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.CreateExchangeUSGContainer(String name, ADSystemConfigurationSession session, ADObjectId domain)
   at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
[12/22/2014 18:01:11.0158] [1] The following error was generated when "$error.Clear();
      initialize-ExchangeUniversalGroups -DomainController $RoleDomainController -ActiveDirectorySplitPermissions $RoleActiveDirectorySplitPermissions" was run: "Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists.".
[12/22/2014 18:01:11.0158] [1] Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists.
[12/22/2014 18:01:11.0158] [1] The object exists.
[12/22/2014 18:01:11.0158] [1] [ERROR-REFERENCE] Id=443949901 Component=
[12/22/2014 18:01:11.0158] [1] Setup is stopping now because of one or more critical errors.
[12/22/2014 18:01:11.0158] [1] Finished executing component tasks.
[12/22/2014 18:01:11.0377] [1] Ending processing Install-ExchangeOrganization
[12/22/2014 18:01:11.0580] [0] The Exchange Server setup operation didn't complete.  More details can be found in ExchangeSetup.log located in the <SystemDrive>:\ExchangeSetupLogs folder.
[12/22/2014 18:01:11.0783] [0] End of Setup
[12/22/2014 18:01:11.0783] [0] **********************************************
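Added diagnostic for this thread (editor's example, not the poster's code or Microsoft's). The stack trace above shows CreateExchangeUSGContainer failing with an LDAP "object exists" result for the OU DN, which means that DN is in use on PRODDC01 at the moment setup tries to add it. This script checks whether the account you are logged on with can read that OU at all, then looks for the Exchange role groups by name anywhere in the domain, including tombstoned (deleted) copies and the LostAndFound container. It assumes PowerShell 3.0 or later with the RSAT ActiveDirectory module; the DC name and domain DN are taken from the log, and the group-name list is an assumption you may need to extend.

```powershell
Import-Module ActiveDirectory

$DC       = 'PRODDC01.MyDomain.com'          # from the setup log
$DomainDN = 'DC=MyDomain,DC=com'             # from the setup log
$OuDN     = "OU=Microsoft Exchange Security Groups,$DomainDN"

# Exchange 2010 role groups normally created under that OU by /PrepareAD.
# Assumed list; add any others you expect in your environment.
$GroupNames = @(
    'Organization Management', 'Recipient Management', 'View-Only Organization Management',
    'Exchange Servers', 'Exchange Trusted Subsystem', 'Exchange Windows Permissions'
)

function Test-ADObjectVisible {
    # $true if the bound account can read $DN on $DC. LDAP answers "no such object"
    # both for objects that are absent and for objects the caller has no List/Read
    # rights on, so "not visible" here does not prove "absent".
    param([Parameter(Mandatory=$true)][string]$DN)
    try {
        $null = Get-ADObject -Server $DC -Identity $DN
        return $true
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return $false
    }
}

function Find-ExchangeGroupTraces {
    # Live groups by name (wherever they may have been moved), tombstones, and
    # whatever sits in LostAndFound.
    param([string[]]$Names = $GroupNames)
    foreach ($name in $Names) {
        $live = Get-ADGroup -Server $DC -SearchBase $DomainDN -LDAPFilter "(name=$name)" -ErrorAction SilentlyContinue
        foreach ($g in $live) {
            [pscustomobject]@{ Name = $name; State = 'Live'; Location = $g.DistinguishedName }
        }
        # Tombstones keep objectClass and get a name of the form "<name>\0ADEL:<guid>".
        # Without the AD Recycle Bin (2003 functional level) they are still searchable
        # until the tombstone lifetime expires.
        $dead = Get-ADObject -Server $DC -SearchBase $DomainDN -IncludeDeletedObjects `
                    -LDAPFilter "(&(isDeleted=TRUE)(objectClass=group)(name=$name*))" `
                    -Properties lastKnownParent, whenChanged -ErrorAction SilentlyContinue
        foreach ($t in $dead) {
            [pscustomobject]@{ Name = $name; State = "Deleted $($t.whenChanged)"; Location = $t.lastKnownParent }
        }
    }
    # Objects orphaned by a replication conflict land here rather than disappearing.
    Get-ADObject -Server $DC -SearchBase "CN=LostAndFound,$DomainDN" -SearchScope OneLevel `
        -LDAPFilter '(objectClass=*)' -Properties lastKnownParent -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Name = $_.Name; State = 'LostAndFound'; Location = $_.lastKnownParent }
        }
}

"Running as $env:USERDOMAIN\$env:USERNAME against $DC"
"OU '$OuDN' visible: $(Test-ADObjectVisible -DN $OuDN)"
Find-ExchangeGroupTraces | Format-Table -AutoSize
```

Run it once in a shell opened under your own account and once under a different administrative account. If the OU reports visible under one account and not the other, the object is present and the difference is permissions on the object, which setup (running as you) does not see the same way ADUC's search does; if it is invisible under both and no live, deleted or LostAndFound trace turns up, look at which DC setup is binding to, since the log shows it pinned to PRODDC01.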

Gareth Gudger commented:
Hi ITSystemsEngineer,

So are you upgrading from a previous version of Exchange 2010? If so, the only schema update you need to run is:

Setup.com /PrepareAD

You don't need to run any of the others. Check out my blog post on upgrading to SP3 here.

https://supertekboy.com/2014/05/01/exchange-2010-installing-service-pack-3/

I would also recommend NEVER moving or deleting the Exchange Security Groups.

Senior IT System Engineer (Author) commented:
Hi Gareth,

I'm trying to update from SP2 to SP3 and yes, I only tried to execute the "Setup.com /PrepareAD" command on the AD/DC holding the Schema Master role, but it failed.

The AD security group does not exist in the ADUC console?

Gareth Gudger commented:
Interesting. That OU should definitely exist. It should be right under the domain root. Is this a single-domain forest? If you have multiple domains in the forest make sure you run this command from the root domain.

Any chance Exchange was set up with split-AD permissions?

Does your account also have Enterprise Admin rights?

Senior IT System Engineer (Author) commented:
Well, it doesn't exist in the root domain, but somehow setup.com complains that it exists in AD even though I can't see it anywhere.

Yes this is just a single domain forest. I don't have multiple.

Split-AD permissions? What is that? I'm new to Exchange Server 2010.

My account is already a member of the Enterprise, Domain and Schema Admins groups.

Amit (IT Architect) commented:
Follow this:

1) Upgrade the schema for Exchange 2010 SP3. If you have Enterprise and Schema Admin rights, setup will do it automatically; if not, the AD team is required to perform this task.

 Purpose of this Schema Update:
 ===================

 In order to deploy Exchange 2010 SP3 across the environment, it is a prerequisite that the Active Directory schema be extended to support Exchange 2010 SP3. During this upgrade, the Active Directory schema will be extended to support Exchange 2010 SP3.

 Steps to be performed for this upgrade:
 ================================

 Reference Article –
http://technet.microsoft.com/en-in/library/bb629560(v=exchg.141).aspx 

 Prerequisites: the AD account needs to be a member of the following groups:
 Domain Admins, Enterprise Admins, Schema Admins

 Install Active Directory Management Tools (Run this Command, if Required)
 ServerManagerCmd -i RSAT-ADDS

 Software Location Exchange 2010 SP3
http://www.microsoft.com/en-us/download/details.aspx?id=36768

 Download and extract it, then run the commands below to prepare the schema.

  setup /PrepareLegacyExchangePermissions (Optional):
  Check C:\ExchangeSetupLogs\ExchangeSetup.log for successful completion
  Setup /PrepareSchema
  Check C:\ExchangeSetupLogs\ExchangeSetup.log for successful completion
  Setup /PrepareAD /OrganizationName:"Your Org Name"
  Check C:\ExchangeSetupLogs\ExchangeSetup.log for successful completion

 How to verify schema version?
http://technet.microsoft.com/en-in/library/bb125224%28v=exchg.141%29.aspx 

2) Steps for Upgrading Exchange 2010 to SP3

 Software Location:
 1) Exchange 2010 SP3: http://www.microsoft.com/en-in/download/details.aspx?id=36768

 Note: Any Interim Updates for Exchange Server 2010 must be uninstalled prior to installing this update.

 As I have all roles on one server in a 2-node DAG, kindly perform the steps below.

 Phase 1: Upgrading Database Availability Groups to Exchange 2010 SP3 (Start with Passive)

 Note: Make sure to take a full Exchange backup, including system state and any custom settings related to the CAS role. Save the OWA folder under the bin path too. During SP3 installation, Exchange setup removes all SP2-related folders; in case you have any proxying it might fail, so make sure to upgrade all servers, but one by one.

 1) Open the Exchange Management Shell, browse to the Scripts folder and run the command below
       
 .\StartDagServerMaintenance.ps1 -serverName servername

 Note: This script moves all Exchange-related components, including databases, to another server.
             
 2) Disable Forefront by using the command below (it might ask you to stop a few Exchange services)

 fscutility /disable

 3) Stop the OS Antivirus services and Monitoring Agent for Microsoft Exchange Server

 4) Verify Backups are completed.

 5) Run the SP3 setup using the GUI, or run setup /m:upgrade. If you get an IIS component error, run setup /mode:upgrade /installwindowscomponents

 Note: If you are getting this error "A Restart from a Previous Installation is Pending"

 Open regedit and delete the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations key and Rerun Setup.

 Ref: http://technet.microsoft.com/en-us/library/cc164360(v=exchg.80).aspx

 6) Reboot the server

 7) After the reboot, verify the logs below for any errors:
       
 Event Logs
 
 Setup Logs (C:\ExchangeSetupLogs)

 Services - All Exchange related services are running.
       
 Check IIS Settings are not changed.
       
 Check authentication settings in the EMC for OWA/OMA/EWS. If you find any change, revert to the old settings.
       
 8) Enable Forefront Protection for Exchange with fscutility /enable (it might ask you to stop a few Exchange services)

 9) Start OS Antivirus and Exchange Monitoring Agent Services
       
 10) .\StopDagServerMaintenance.ps1 -serverName servername

 11) Now follow the same steps on the other server in the DAG.

 -------------------------------------------------------------------------------------------------

Phase 2: Upgrade Management Tools

 If you have installed the management tools on any other machine, make sure to upgrade those too.
 -------------------------------------------------------------------------------------------------
Finally: how to verify the upgrade.

 Go to PowerShell and type the command below.

 GCM exsetup |%{$_.Fileversioninfo}
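Added example for the "How to verify schema version?" step in Amit's procedure; it is not part of his post or of Microsoft's tooling. It reads the three version markers that Exchange setup stamps in Active Directory (rangeUpper on the ms-Exch-Schema-Version-Pt schema attribute for /PrepareSchema, objectVersion on the organization container for /PrepareAD, and objectVersion on the domain's Microsoft Exchange System Objects container for /PrepareDomain) and compares them with the Exchange 2010 SP3 values (14734, 16639 and 13040). Those expected numbers are an assumption taken from Microsoft's published schema-version table; confirm them against the TechNet article linked in the post before acting on the result. Assumes PowerShell 3.0 or later with the RSAT ActiveDirectory module, run on a DC or a management box.

```powershell
Import-Module ActiveDirectory

# Documented Exchange 2010 SP3 values (assumption; verify against the TechNet table).
$Expected2010SP3 = @{
    SchemaRangeUpper    = 14734
    OrgObjectVersion    = 16639
    DomainObjectVersion = 13040
}

function Get-ExchangeADVersion {
    # $Server may be a DC name or the DNS domain name (DC locator picks one).
    param([string]$Server = $env:USERDNSDOMAIN)
    $rootDse  = Get-ADRootDSE -Server $Server
    $schemaNC = $rootDse.schemaNamingContext
    $configNC = $rootDse.configurationNamingContext
    $domainNC = $rootDse.defaultNamingContext

    # Schema partition: bumped by Setup /PrepareSchema.
    $schemaObj = Get-ADObject -Server $Server -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNC" -Properties rangeUpper

    # Configuration partition: bumped by Setup /PrepareAD. The org name varies,
    # so locate the container by class under CN=Microsoft Exchange,CN=Services
    # (the path that appears in the poster's setup log).
    $orgObj = Get-ADObject -Server $Server -SearchBase "CN=Microsoft Exchange,CN=Services,$configNC" `
                  -SearchScope OneLevel -LDAPFilter '(objectClass=msExchOrganizationContainer)' -Properties objectVersion

    # Domain partition: bumped by Setup /PrepareDomain (also done by /PrepareAD for the local domain).
    $mesoObj = Get-ADObject -Server $Server -Identity "CN=Microsoft Exchange System Objects,$domainNC" -Properties objectVersion

    [pscustomobject]@{
        Server              = $Server
        Organization        = $orgObj.Name
        SchemaRangeUpper    = [int]$schemaObj.rangeUpper
        OrgObjectVersion    = [int]$orgObj.objectVersion
        DomainObjectVersion = [int]$mesoObj.objectVersion
    }
}

function Test-ExchangeADVersion {
    # Compare each marker for equality. Do not use "greater or equal": the documented
    # values are not monotonic across service packs, so a higher number is not "newer".
    param([pscustomobject]$Actual, [hashtable]$Expected = $Expected2010SP3)
    foreach ($key in $Expected.Keys) {
        [pscustomobject]@{
            Marker   = $key
            Actual   = $Actual.$key
            Expected = $Expected[$key]
            Matches  = ($Actual.$key -eq $Expected[$key])
        }
    }
}

$v = Get-ExchangeADVersion
$v | Format-List
Test-ExchangeADVersion -Actual $v | Format-Table -AutoSize
```

Run it before and after each Setup /Prepare* step; in a multi-domain forest, run Get-ExchangeADVersion once per domain for the DomainObjectVersion marker, since /PrepareDomain stamps each domain separately.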

Senior IT System Engineer (Author) commented:
Thanks for the reply, Amit.

Since I'm running setup.com from the DC over RDP, do I have to run "ServerManagerCmd -i RSAT-ADDS"?

My problem is the missing Exchange AD security group, which stops me from continuing the SP3 upgrade.

Amit (IT Architect) commented:
If you are running it from the DC, then you don't need it. Did you try running cmd as administrator?

Senior IT System Engineer (Author) commented:
Yes, I have already tried with Run as Administrator.
Not sure why this missing security group is stopping me from installing SP3 :-/

Amit (IT Architect) commented:
That is an important group. Run prepare domain first using SP2 and then try again.

Senior IT System Engineer (Author) commented:
OK, so in an Exchange Server 2010 environment (all SP versions), must that group exist in the Active Directory Users & Computers console under domain.com?

My understanding is that it was only needed for Exchange Server 2007 but not 2010.

Why do I have to run it using the older setup files on my working production servers?

Gareth Gudger commented:
Yes. Those groups are required in 2010 as well. They are critical to Exchange RBAC model.

I wonder if someone moved that OU or those groups to somewhere else in Active Directory.

One of these groups is Organization Management. That group basically has rights over the entire Exchange environment.

If you go to the Properties of your own user account and check the Member Of tab. Do you see Organization Management listed?

Senior IT System Engineer (Author) commented:
Gareth,

I cannot see it under my Member Of tab. When I run the Exchange BPA, the wizard result reports that the group is empty.

However, I can still add myself into the group using the Exchange Management console from Outlook Web App.

Upon checking the membership from the ADUC console in the Member Of tab, I got this error pop-up when clicking on the Organization Management group.

---------------------------
Active Directory Domain Services
---------------------------
There is no such object on the server.
---------------------------
OK  
---------------------------

But the entry still exists on the Member Of tab.

Re-running Setup.com /PrepareAD in an elevated command prompt on the Schema Master still gives me the same error message.

Senior IT System Engineer (Author) commented:
I'm not sure how to check if my Exchange Server was set up with split permissions or RBAC by my predecessor.
Is there any way to check it?

Do I have to execute the service pack with the following command instead?
Setup.com /PrepareAD /ActiveDirectorySplitPermissions:True

Gareth Gudger commented:
I am assuming a search of AD doesn't turn up the Organization Management group either?

Check this article. Specifically the last section titled "Switch from Active Directory split permissions to shared permissions"
http://technet.microsoft.com/en-us/library/dd638146(v=exchg.150).aspx

To disable split-permissions you would actually toggle it to False.

Senior IT System Engineer (Author) commented:
"A search of AD doesn't turn up the Organization Management group either?"

Yes, that is the case. I cannot find any of the following security groups through ADUC:

"Exchange Organization Administrators"
"Microsoft Exchange Security Groups"
"Organization Management"

But when I execute the PowerShell commands below, I can see them listed and associated with my user account and some groups.

[PS] C:\Windows\system32>get-rolegroupmember "organization management" | ft -AutoSize

Name                                 RecipientType
----                                 -------------
Exchange Organization Administrators Group
Administrator                        UserMailbox
Alex Santana                         UserMailbox
Mail Security Service Account        UserMailbox
John Henry                               UserMailbox


[PS] C:\Windows\system32>get-rolegroupmember "recipient management" | ft -AutoSize

Name                              RecipientType
----                              -------------
Exchange Recipient Administrators Group
IT-Helpdesk-HeadOffice            Group


[PS] C:\Windows\system32>

Gareth,
My goal here is to get SP3 installed on all Exchange 2010 servers. I don't want to mess around with the current security scheme because I don't know how it was set up or why.

Gareth Gudger commented:
I wonder if there is anything wrong with that DC perhaps. I noticed setup was hitting PRODDC01.

Maybe we could force setup to use another DC?

Can't remember if you can couple /PrepareAD with /DomainController switches.

Amit (IT Architect) commented:
Better call MS.

Gareth Gudger commented:
One other random thought. Not sure what level your AD forest is at.

But those objects aren't in the AD Lost and Found / Recycle Bin are they?

Senior IT System Engineer (Author) commented:
Gareth, both the domain and forest functional levels are at Windows Server 2003.

Somehow I cannot find the result after following the steps in http://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx

Here's the view from the Lost & Found:
[Attachment: Lost and Found screenshot]

Gareth Gudger commented:
Yea I agree with Amit. I think this is a call to Microsoft.

Senior IT System Engineer (Author) commented:
OK, I'm inclined to do the steps described here: http://www.itguydiaries.net/2012/07/omg-exchange-security-groups-were.html

I know that the error message is different, but somehow I cannot find any of the Exchange built-in security groups that are supposed to be there.

So can I actually perform the steps described on the above web page and then continue with Setup.com /PrepareAD without causing any email downtime or problems later on?

Gareth Gudger commented:
Hmmm. I've seen these steps before. Never tried them though.

Senior IT System Engineer (Author) commented:
Yeah, that's the thing.
Because the error message in ExchangeSetup.log is totally different from what you can see in the blog above.

But interestingly, the author of the blog describes how to repopulate the built-in AD security groups to continue with the SP installation.

My assumption is that during the schema update/extension on the domain controller, Exchange will still be working during business hours, right? Please correct me if I'm wrong.

Gareth Gudger commented:
There is no downtime while you are running the schema updates.

Senior IT System Engineer (Author) commented:
OK, so in my case I need some clarification. Does the normal working condition of Exchange Server 2010 require the following examples of built-in security groups to exist in AD?
"Exchange Organization Administrators"
"Microsoft Exchange Security Groups"
"Organization Management"

Regardless of which security mechanism is used.

I'm confused as to why I must recreate simple AD security groups through the Setup.com package.

Senior IT System Engineer (Author) commented:
Thanks Gareth,

So, in order to restore those missing groups, is there any outage required to run setup.com /PrepareAD after clearing the corrupted ADSI Edit entry?

Gareth Gudger commented:
Nope. Shouldn't be any outage at all.

Senior IT System Engineer (Author) commented:
Thanks !

Senior IT System Engineer (Author) commented:
OK, I just realized that my AD user account cannot see those built-in AD security groups.
I can now see them using the DOMAIN\Administrator account.

That's very strange :-/ because my DOMAIN\Username is already a member of the Schema and Enterprise Admins groups, but somehow it is showing the security groups as corrupted objects.
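The thread ends with the observation that one administrative account sees the OU and groups while another does not. The script below is an added example (editor's code, not from the thread) for pinning that difference down without changing anything: it reads the OU and the domain root as the current account and as a second account supplied via Get-Credential, then lists the owner, whether inheritance is blocked, and any explicit Deny entries on the OU's security descriptor. Deny entries and blocked inheritance are the two ordinary ways an Enterprise Admin ends up unable to list or read a specific object; the script reports them, it does not assert that either is the cause here. Assumes PowerShell 3.0 or later with the RSAT ActiveDirectory module, run from a shell opened under the account that can see the objects (Get-Acl needs read-control on them); DC name and DNs are taken from the setup log.

```powershell
Import-Module ActiveDirectory

$DC       = 'PRODDC01.MyDomain.com'
$DomainDN = 'DC=MyDomain,DC=com'
$OuDN     = "OU=Microsoft Exchange Security Groups,$DomainDN"

function Test-VisibleAs {
    # Reads $DN on $DC as the given credential (current logon when $Credential is $null).
    # AD returns "not found" for objects the caller cannot list, so $false means
    # "absent or not readable by this principal", not simply "absent".
    param([Parameter(Mandatory=$true)][string]$DN, [pscredential]$Credential)
    $params = @{ Server = $DC; Identity = $DN; ErrorAction = 'Stop' }
    if ($Credential) { $params.Credential = $Credential }
    try {
        $null = Get-ADObject @params
        return $true
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return $false
    }
}

function Get-ObjectAclSummary {
    # Owner, inheritance protection and explicit Deny ACEs for $DN, read through the
    # AD: drive that the ActiveDirectory module provides. Note: the AD: drive binds to
    # the module's default DC, which may not be $DC; the ACL replicates, so for a
    # diagnostic that is acceptable, but re-check on $DC if results look inconsistent.
    param([Parameter(Mandatory=$true)][string]$DN)
    $acl = Get-Acl -Path "AD:\$DN"
    $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } | ForEach-Object {
        '{0}: {1} (inherited: {2})' -f $_.IdentityReference, $_.ActiveDirectoryRights, $_.IsInherited
    })
    [pscustomobject]@{
        Object               = $DN
        Owner                = $acl.Owner
        InheritanceProtected = $acl.AreAccessRulesProtected   # $true blocks parent Allows
        DenyEntries          = $deny                          # Deny beats Allow in AD ACL evaluation
    }
}

$other = Get-Credential   # the account that cannot see the OU (e.g. DOMAIN\Username)

foreach ($dn in @($OuDN, $DomainDN)) {
    [pscustomobject]@{
        Object           = $dn
        VisibleAsCurrent = Test-VisibleAs -DN $dn
        VisibleAsOther   = Test-VisibleAs -DN $dn -Credential $other
    }
}

Get-ObjectAclSummary -DN $OuDN | Format-List
Get-ObjectAclSummary -DN $DomainDN | Format-List
```

If VisibleAsCurrent is true and VisibleAsOther is false for the OU but both are true for the domain root, the restriction is on the OU itself (or inherited into it): look at the Deny entries for any group the second account belongs to, and at InheritanceProtected. The same comparison run with dsacls "OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com" from the command line gives the raw ACE list if you want a second opinion from a built-in tool.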